From 06cdc41259f023291cf6ecbaa8f170bfa26dfd29 Mon Sep 17 00:00:00 2001
From: Arpit Jain <arpitjain099@gmail.com>
Date: Sun, 17 May 2026 12:15:02 +0900
Subject: [PATCH] ci: declare workflow-level contents: read on 2 workflows

Pins the default GITHUB_TOKEN to contents: read on workflows that don't
call a GitHub API beyond the initial checkout. Other workflows that need
write scopes are left implicit for a maintainer to declare.

Motivation: CVE-2025-30066 (March 2025 tj-actions/changed-files
compromise) exfiltrated GITHUB_TOKEN from workflow logs. Per-workflow
caps bound runtime authority irrespective of repo or org default,
give drift protection, and are credited per-file by the OpenSSF
Scorecard Token-Permissions check.

YAML validated locally with yaml.safe_load.

Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
---
 .github/workflows/push.yml       | 4 ++++
 .github/workflows/shellcheck.yml | 3 +++
 2 files changed, 7 insertions(+)

diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml
index 32073b8c7..6ef0d6f3d 100644
--- a/.github/workflows/push.yml
+++ b/.github/workflows/push.yml
@@ -4,6 +4,10 @@ on:
     branches-ignore:
       - "dependabot/*"
   pull_request:
+
+permissions:
+  contents: read
+
 jobs:
   Python:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/shellcheck.yml b/.github/workflows/shellcheck.yml
index ac7d32776..6901c0099 100644
--- a/.github/workflows/shellcheck.yml
+++ b/.github/workflows/shellcheck.yml
@@ -11,6 +11,9 @@ on:
       - '.github/workflows/shellcheck.yml'
       - '.shellcheckrc'
 
+permissions:
+  contents: read
+
 jobs:
   shellcheck:
     runs-on: ubuntu-latest